Setting Up Enterprise Manager to Administer Recovery Appliance

To enable Enterprise Manager to administer Recovery Appliance, you must deploy the management agents to each compute server, then discover the targets for the Recovery Appliance. The targets include the cluster, database, listeners, Automatic Storage Management (ASM), and the appliance itself.

Work with your Oracle support engineer to perform the tasks in this section.

Note:

See Doc ID 1929507.1 for information about the plug-ins and patches required for Zero Data Loss Recovery Appliance management, monitoring, and protected database management.

Deploying the Enterprise Manager Agents

If your Recovery Appliance is in compliance mode, you must enable SSH access using racli enable ssh before you can deploy the Enterprise Manager Agents. The process for enabling SSH access requires quorum approval. After the agents have been deployed on all the compute servers, disable SSH access with racli disable ssh.

Perform the following steps to deploy a management agent to each Recovery Appliance compute server:

  1. On each compute server, create a directory owned by oracle:oinstall in which to install the agent.
  2. Log in to Oracle Enterprise Manager Cloud Control (Cloud Control) as a user with privileges to discover and manage a Recovery Appliance target.
  3. From the Setup menu, choose Add Target, select Add Targets Manually, choose Add Host Targets, then click Add Host...

    The Add Host Targets: Host and Platform page appears.

  4. From the Platform list, select Same for All Hosts.
  5. For each compute server, click Add, enter the fully qualified host name, and select Linux x86-64 in the Platform list. Then click Next.

    The Add Host Targets: Installation Details page appears.

  6. Specify the Agent installation directory that you created in Step 1, Named Credential for the user that will own the Agent installation, and other requested properties, then click Next.

    The Add Host Targets: Review page appears.

  7. Click Deploy Agent to begin deploying Agents to all Recovery Appliance compute servers.

    The Add Host page appears, displaying warnings about remote prerequisite checks in the Agent Deployment Summary section. The Remote Prerequisite Check Details section might indicate that the root.sh script could not be run due to insufficient privileges. You can fix this in a subsequent step.

  8. To resume the deployment, click Continue, and select All Hosts.

    The Add Host page displays a message that the deployment was successful.

  9. If the root.sh script was not automatically run, follow to the on screen instructions to run root.sh manually on each compute server.
  10. Return to the Add Host page, and click Done.
  11. If your Recovery Appliance was in compliance mode before starting these steps and you enabled SSH access in order to deploy the Enterprise Manager, you should disable SSH access now with racli disable ssh.

Discovering the Cluster

Perform the following steps to discover the Recovery Appliance cluster.

Note:

If the Recovery Appliance is TLS-enabled, make sure the TCPS port and protocol are specified during the discovery of the cluster, the Recovery Appliance database, and the Recovery Appliance target.

  1. From the Setup menu in Cloud Control, choose Add Target, select Add Targets Manually.

    The Add Targets Manually page appears.

  2. Select Add Targets Using Guided Process.
  3. From the Target Types drop-down list, select Oracle Cluster and High Availability Service, then click Add Using Guided Process...

    The Add Target: Cluster and Oracle High Availability Service page appears.

  4. Enter the host name of one of the compute servers on the Recovery Appliance, then click the Search icon.

    The Select Targets dialog appears.

  5. Select the target host, and click Select.
  6. Click Discover Target.
  7. Review the automatically detected cluster information on the Cluster and Oracle High Availability Service page. Verify that all compute servers on the Recovery Appliance cluster are included in the list of cluster hosts and that the SCAN Name and SCAN Ports display the correct values for the ingest network, then click Save.

    When the cluster target is created successfully, the Confirmation window appears.

  8. Close the Confirmation window.

Discovering the Cluster Database Targets

Before you discover the Recovery Appliance itself, perform the following steps to discover the Recovery Appliance cluster database, listener, and ASM targets.

Note:

If the Recovery Appliance is TLS-enabled, make sure the TCPS port and protocol are specified during the discovery of the cluster, the Recovery Appliance database, and the Recovery Appliance target.

  1. From the Setup menu in Cloud Control, choose Add Target, select Add Targets Manually.

    The Add Targets Manually page appears.

  2. Select Add Targets Using Guided Process.
  3. From the Target Types drop-down list, choose Oracle Database, Listener, and Automatic Storage Management, then click Add Using Guided Process...

    The Database Discovery: Search Criteria page appears.

  4. Use the Recovery Appliance cluster name or the host name of one of the compute servers as the criteria to perform the search, then click Next.

    The Database Discovery: Results page appears, showing the Recovery Appliance cluster database is listed, along with the ASM instances and listeners on all compute servers.

  5. Select the cluster database, and click Configure.
  6. Modify the settings to use fully qualified names in the Listener Machine Name fields and 1521 in the Port fields, then click Save.
  7. Supply the monitoring credentials for the cluster database, and click Test Connection.
  8. Select the cluster ASM, configure the appropriate monitoring credentials, and click Test Connection.
  9. Ensure that the management database under Single Instance Databases (-MGMTDB) is not selected.
  10. Select all listeners except the management listener (MGMTLSNR), and click Next.

    The Database Discovery: Review page appears.

  11. Verify the information, then click Save to start monitoring the targets.
  12. Close the Confirmation window.

Discovering the Recovery Appliance

After discovering the Recovery Appliance cluster and cluster database targets, the Recovery Appliance target itself can be discovered. As part of discovering the top-level Recovery Appliance target that will include all Enterprise Manager Recovery Appliance software and hardware management functionality, a separate Recovery Appliance hardware target will also be discovered.

Perform the following steps to manually discover the Recovery Appliance target. These steps apply to Recovery Appliance not in TLS mode.

  1. From the Setup menu in Cloud Control, choose Add Target, then select Add Targets Manually.

    The Add Targets Manually page appears.

  2. Select Add Targets Using Guided Process.
  3. From the Target Types drop-down list, choose Recovery Appliance, then click Add Using Guided Process...

    The Recovery Appliance Hardware Discovery page appears.

  4. Select Discover new Recovery Appliance hardware components as targets, and click Discover Targets.

    The Recovery Appliance Hardware Discovery page appears.

  5. Select the Discover new Recovery Appliance hardware components as targets option and click on Discover Targets.

    The Recovery Appliance Hardware Discovery: Infiniband Discovery page appears.

  6. Follow the detailed instructions in all subsequent pages of the Recovery Appliance Hardware Discovery wizard, supplying all requested credentials for hardware components. On the Review page, review all hardware component details, then click Submit. The Database Machine target representing the Recovery Appliance hardware will be created, along with targets for all hardware components.

    The Target Creation Summary page appears, showing a summary of all hardware targets created, including the Database Machine target representing the Recovery Appliance hardware and all member targets for all hardware components.

  7. Click Continue With Recovery Appliance Discovery.

    The Recovery Appliance Discovery: Properties page appears.

  8. Select the Target Name for the Recovery Appliance. The Recovery Appliance Hardware target name is already filled-in with the target name discovered in a previous step.

    (If the Recovery Appliance hardware discovery was completed without completing the full Recovery Appliance discovery process, that may leave one or more Recovery Appliance hardware targets in a state where they are not associated with a Recovery Appliance target. In this case, when Recovery Appliance discovery is re-initiated from the Add Targets Manually page, the discovery process will not automatically go in to the Recovery Appliance hardware discovery wizard. Instead, the process will go directly to the Properties page to allow selection of an unassociated Recovery Appliance hardware target. In this case, the hardware target name will not be pre-filled. Click the Select Target icon to launch the Search and Select Targets popup, which shows a list of Recovery Appliance hardware targets that have not yet been associated with a Recovery Appliance target. Select the correct Recovery Appliance hardware target.)

  9. In the Recovery Appliance Monitoring Credentials section, specify the database user credentials that will be used to monitor the Recovery Appliance.

    This can be a named user with the RA$ADMIN role or a named user that has the RA$MON role.

    Click More Details to see detailed information about the credentials.

  10. In the Host Credentials section, provide the credentials for a user that has permission to access the Oracle Home of the Recovery Appliance database.
  11. Click Next.

    The Recovery Appliance Discovery: Oracle Secure Backup Domain page appears.

  12. If Oracle Secure Backup is installed on the Recovery Appliance, enter /usr/local/oracle/backup in the Installation Home field and specify the monitoring credentials for the Oracle Secure Backup domain. Otherwise, select Skip Oracle Secure Backup Domain Discovery.
  13. Click Next.

    The Recovery Appliance Discovery: Review page appears.

  14. Review the target discovery selections, and click Submit.

    The Recovery Appliance target is created.

Monitoring TLS-enabled Targets

Enterprise Manager (EM or Cloud Control) can monitor targets that use TCPS.

A wallet needs to be setup at the EM repository. This wallet should contain the certificates needed to connect to the TLS-enabled target. In addition, OMS wallet specific properties have to be set. EM has one wallet, and this wallet is used by EM to communicate with any TLS-enabled target.

Note:

EM agents that monitor TLS-enabled targets also need to have wallets created with the necessary certificates and agent properties. Refer to Monitoring TLS-enabled Targets with EM Agents
  1. Check to see if your EM instance has a wallet and its values set.
    $OMS_HOME/bin/emctl get property -sysman_pwd <sysmanPwd>  -name em.targetauth.db.pki.TrustStore

    If a wallet exists, the location of the wallet is output.

    If a location exists, it is assumed you have the wallet password.

    Verify other values are already set for the wallet:

    <OMS HOME>/bin>emctl get property -sysman_pwd <sysmanPwd> -name em.targetauth.db.pki.TrustStoreType
<OMS HOME>/bin>emctl get property -sysman_pwd <sysmanPwd> -name em.targetauth.db.pki.TrustStorePassword
  2. If a wallet is not found, create a password protected wallet.

    The location of the wallet: <oms_wallet_location>.

    The password used to protect the wallet: <oms_wallet_password>. 

    orapki wallet create -wallet <oms_wallet_location> -auto_login -pwd <oms_wallet_password>

    Listing of <oms_wallet_location> must contain a cwallet and an ewallet

  3. Set the wallet type, location, and password OMS properties.
    <OMS HOME>/bin>emctl set property -sysman_pwd sysman -name
      em.targetauth.db.pki.TrustStoreType -value PKCS12

<OMS  HOME>/bin>emctl set property -sysman_pwd sysman -name  em.targetauth.db.pki.TrustStore -value
      <oms_wallet_location>/ewallet.p12

<OMS  HOME>/bin>emctl set property -sysman_pwd
      sysman -name  em.targetauth.db.pki.TrustStorePassword -value <oms_wallet_password>

    Validate the entries using the get property call.

  4. Add certificates to the wallet from the monitored targets and restart the OMS (if a new wallet was created).
    orapki wallet add -wallet <oms_wallet_location> -trusted_cert -cert <certFile>

orapki wallet display -wallet <oms_wallet_location> -complete

    Validate the certificate is shown correctly.

    The EM wallet needs the trusted and signed certificates from Recovery Appliance.

  5. If a new wallet was created, restart the OMS.

Monitoring TLS-enabled Targets with EM Agents

Enterprise Manager (EM or Cloud Control) Agents can monitor targets that use TCPS.

A wallet needs to be setup at the EM repository. This wallet should contain the certificates needed to connect to the TLS-enabled target. In addition, Agent specific wallet properties have to be set.

  1. Create a wallet for the EM agent.
    orapki wallet create -wallet <agent_wallet_location> -auto_login -pwd <agent_password_wallet>
  2. Add certificates to this wallet.
    orapki wallet add -wallet <agent_wallet_location> -trusted_cert -cert <certFile>
  3. Set the wallet properties for the Agent.
    <AGENT_HOME>/bin>emctl setproperty agent -name connectionTrustStoreType -value PKCS12

<AGENT_HOME>/bin>emctl  setproperty agent -name connectionTrustStoreLocation -value <agent_wallet_location>/ewallet.p12

<AGENT_HOME>/bin>emctl setproperty agent -name connectionTrustStorePassword -value <agent_password_wallet>
  4. Restart the agent.
  5. Repeat from the beginning for any database being monitored that uses TLS (TCPS).

    Add the database certificate to the wallet for the agent on the database's host.

Discovering TLS-Enabled Recovery Appliance

Enterprise Manager (Cloud Control) requires a few extra steps to discover TLS-enabled Recovery Appliances and TLS-enabled databases.

Discovering a Recovery Appliance using TLS requires that the TCPS port and protocol be specified when discovering the cluster, the Recovery Appliance database, and the Recovery Appliance target.

The ZDLRA discovery wizard has an option to upload the Recovery Appliance certificate to EM. The certificate is saved in EM and used when protected databases are configured to backup to this Recovery Appliance. Certificates not added during discovery can also be added after discovery with Recovery Appliance->Target Setup->TLS Trust Certificate..

Migrating TCP to TCPS Recovery Appliance

If the Recovery Appliance was already discovered in EM using TCP:

  1. Create the EM wallet on both the OMS and the agent. Add the Recovery Appliance certificate(s) to the wallet. Set the EM properties.

  2. Edit the port/protocol properties for the cluster and cluster database target associated with the Recovery Appliance.

  3. Edit the port/protocol properties for the Recovery Appliance target itself. Upload the Recovery Appliance certificates to EM. They are used when protected databases are configured.

    From theCluster Target home page in EM, select Cluster->Target Setup->Monitoring Configuration

  4. Update Scan Port to be the TCPS port.

  5. From the Cluster Database home page in EM, select Cluster Database->Target Setup->Monitoring Configuration

  6. In the Instances section, edit each instance and update the Port and Connection Protocol.

  7. From the Recovery Appliance home page in EM, select Recovery Appliance->Target Setup->Monitoring Configuration

  8. Update all ports and protocols, including ones for the backup scan and replication scans (if needed).

Discovery and Monitoring of Database Targets using TLS

  1. Discover the database in EM, making sure to specify the TCPS port and protocol.

    Refer to Discovering and Adding Database Targets.

  2. If this is a cluster database, specify the TCPS port for the underlying Cluster SCAN port.

  3. While discovering the Cluster database, change the port for the individual database instances to be TCPS ports.

  4. If the database has already been discovered in EM using TCP, migrate this to use TCPS.

    1. Ensure that the OMS and Agent wallets have been configured as above.

    2. Ensure that OMS wallet and agent wallet(s) have the DB certificate.

    3. Change the monitoring configuration for the database. Note that if this is a cluster database, you should change the SCAN port for the underlying cluster and set the TCPS port for all the instances of the cluster database.

Configuring the protected database to backup to the TLS-enabled Recovery Appliance

Prerequisites:

  • Add the database to the Recovery Appliance using the Recovery Appliance->Protected Databases page.

  • Add the Recovery Appliance certificate to EM using the Recovery Appliance->Target Setup->TLS Trusted Certificate menu item

  1. Go to the Database home page in EM. Navigate to the Database->Availability->Backup and Recovery->Configure Backup page.

  2. Select Recovery Appliance as the destination and specify the database host credentials.

  3. Select the Recovery Appliance, VPC user and Protocol to use. The Protocol field offers the choice of TCP and TCPS protocols ONLY if the Recovery Appliance is in dual mode.

    The Configure Backup workflow detects if the database already has an existing wallet and populate the location of the wallet if one is found.

    If the wallet is a password-protected wallet, specify the generic password credential needed to open the wallet. A generic password credential can only be created using emcli today. 

    $  emcli create_named_credential -auth_target_type='<system>'  
-cred_type=GenericPassword -cred_name="<credName>" -attributes="GENERIC_PASSWORD:<walletPassword>"
    Run this command as-is with the exception of these two variables.

    • credName is the name of the generic named credential you are creating.

    • walletPassword is the password for the database wallet.

  4. Select other options as desired and then click Submit.

    A deployment procedure is submitted to configure the database. A link to this procedure is displayed in the confirmation box.

    You can also navigate to the Enterprise->Provisioning and Patching->Procedure Activity menu item to see the deployment procedure execution details.

  5. If the database has already been configured to backup to a Recovery Appliance, the Configure Backup page appears when you go to Availability->Backup and Recovery->Configure Backup.

    Provide the host credential and then invoke the Change Configuration action in the Actions menu on the right-hand corner to:

    • Change the Recovery Appliance details, or

    • Change any of the backup options (protocol, enable/disable real time redo, parallelism).

Scheduling Backups from the Datase to the Recovery Appliance

After successful configuration of backups, go to the Availability->Backup and Recovery->Schedule Backup menu item from the database home page.

On the Schedule Backup page, specify the host credentials for the database host and select how often you'd like the backups to be sent. The suggested backup strategy for backups to the Recovery Appliance is to send incremental backups daily.